Failed Incident Responses from 2017 Provide Important Case Studies

Professors in the field of cybersecurity often find themselves in an interesting position when trying to provide relevant examples for failed cybersecurity incident handling. Usually, when presenting real-world scenarios in the classroom, examples are limited in their description, with incomplete data leading to supposition, or aged in their relevance, and instructors harkening back to big-splash events like the 2013 Target data breach.

This makes for classroom experiences that can be interesting in theory, but not as resonant as they could be in the current landscape. Instructors can either leverage examples of smaller breaches with sufficient data, or wait for the collective classroom groan from a tired discussion.

However, 2017 has come to the rescue in horrifying yet remarkable fashion. With huge, multi-order effect breaches, such as the Equifax hack, and the bribe-payoff Uber attack, instructors are armed with new, relevant material that can provide excellent case studies on how not to respond to an incident.

Indeed, 2017 is a year that will come up in many different classrooms, especially considering the poor handling of the far-reaching Equifax data breach. Never have so many Americans experienced such deep compromise of their identities.

If you have credit, you have a problem – and there is very little, beyond implementing credit freezing, that individuals can do to remedy the situation. While the data breach itself is worth a semester of study, the handling is worth another. Starting with the importance of patch management and ending with proper communication to the public, the Equifax breach checks all the boxes of a classic failure in incident handling.

For example, while WannaCry provided an illustration for proper patch management as a rule of thumb, Equifax has testified, in Congress, that its failure to secure customer information directly resulted from poor patch management and communication. To make matters worse, Equifax proceeded to highlight the importance of proper external communication to customers.

The company provided a tool which users could use to identify if their information was compromised. However, in its initial form, the tool contained a legal mechanism through which individuals self-limited their legal response options, making it harder to pursue recompense.

To compound this poor handling, it was discovered that the organization knew about the breach well in advance of announcing its existence, and several insiders suspiciously sold stock before the announcement – prompting an investigation by the Justice Department. No matter how professors decide to present this information, they will not find themselves wanting for examples of lessons that must be learned.

Another gift of 2017 was the revelation of the year-old Uber hack. In this instance, instead of handling the compromise of information pertaining to over 50 million people, including driver’s license information, Uber opted to treat the incident like a ransomware infection and pay the attackers in exchange for “proof” that the information was destroyed. Without disclosing the methods of deletion verification, beyond stating that Uber “obtained assurances,” there is no real indication that a copy of the data is sitting, unsecured, awaiting nefarious usage.

Furthermore, multiple news outlets have opined that the cover-up stemmed primarily from the negative press coverage Uber started receiving during the time of the incident, with insiders dreading a compounding effect. After analyzing the year Uber has experienced, any observer can realize that proper incident handling appeared to be an organization-wide issue that was not specific to its cybersecurity professionals.

While 2017’s “gift” of poor incident response examples is bountiful, and will provide instructors and professors fodder for years to come, it is important to remember that every failure provides opportunities to highlight success.

These case studies will serve to emphasize the sound practices that cybersecurity professionals should leverage and learn in training, such as having an effective and well-defined incident communication procedure to ensure that problems are effectively conveyed without leveraging trickery or misdirection. Students will also learn the importance of proper patch management and adherence to policy.

Organizations that hold these tenets close and adhere to proper process, procedure, and planning experience less trauma and respond more effectively to the inevitable incident. The struggles of 2017 prove that every cloud has a silver lining.

No matter how it’s viewed, 2017 has been momentous for cybersecurity. This year has brought the world a clearer view of the menacing threats and difficult decisions faced every day by security professionals. However, despite the compromise and concern, we can at least be thankful for the gift of future case studies.

This is part of a series of blogs written exclusively for Infosecurity by ISACA